From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, IncogCyberpunk, Douglas Anderson, Luiz Augusto von Dentz
Subject: [PATCH 6.17 082/146] Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
Date: Wed, 3 Dec 2025 16:27:40 +0100
Message-ID: <20251203152349.464590856@linuxfoundation.org>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251203152346.456176474@linuxfoundation.org>
References: <20251203152346.456176474@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.17-stable review patch. If anyone has any objections, please let me know.

------------------
From: Douglas Anderson

commit c884a0b27b4586e607431d86a1aa0bb4fb39169c upstream.

In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:

  usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)

That function can return NULL in some cases. Even when it returns NULL, though, we still go on to call btusb_mtk_claim_iso_intf().

As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf() when `btmtk_data->isopkt_intf` is NULL will cause a crash because we'll end up passing a bad pointer to device_lock(). Prior to that commit we'd pass the NULL pointer directly to usb_driver_claim_interface() which would detect it and return an error, which was handled.

Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check at the start of the function. This makes the code handle a NULL `btmtk_data->isopkt_intf` the same way it did before the problematic commit (just with a slight change to the error message printed).

Reported-by: IncogCyberpunk
Closes: http://lore.kernel.org/r/a380d061-479e-4713-bddd-1d6571ca7e86@leemhuis.info
Fixes: e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()")
Cc: stable@vger.kernel.org
Tested-by: IncogCyberpunk
Signed-off-by: Douglas Anderson
Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Greg Kroah-Hartman
---
 drivers/bluetooth/btusb.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2721,6 +2721,11 @@ static void btusb_mtk_claim_iso_intf(str if (!btmtk_data) return; + if (!btmtk_data->isopkt_intf) { + bt_dev_err(data->hdev, "Can't claim NULL iso interface"); + return; + } + /* * The function usb_driver_claim_interface() is documented to need * locks held if it's not called from a probe routine. The code here
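Review bot: The new `if (!btmtk_data->isopkt_intf)` guard restores the pre-e9087e828827 behaviour at the point where the pointer is first dereferenced, but the hunk leaves the origin of the NULL unchecked: btusb_mtk_setup() still stores the result of usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM) without validating it, so a short comment above the new block saying that usb_ifnum_to_if() can return NULL (or a check at the assignment site as well) would keep a later refactor from dropping this guard. The error string "Can't claim NULL iso interface" would also be more actionable in a bug report if it named the expected interface number (MTK_ISO_IFNUM).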
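The regression described in the commit message, as an added stand-alone model that is not kernel code: taking the lock before the claim call moves the dereference ahead of the NULL check that usb_driver_claim_interface() used to perform. The `model_*` helpers, the two `struct` definitions and the `claim_iso_intf_*` functions are constructed for this illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of the pattern in the commit message (not kernel code). */
struct usb_interface {
	int locked;   /* stands in for the device mutex taken by device_lock() */
	int claimed;
};

struct btmtk_data {
	struct usb_interface *isopkt_intf; /* NULL when usb_ifnum_to_if() finds no such interface */
};

/* Models device_lock()/device_unlock(): both dereference the pointer unconditionally. */
static void model_device_lock(struct usb_interface *intf)   { intf->locked++; }
static void model_device_unlock(struct usb_interface *intf) { intf->locked--; }

/* Models usb_driver_claim_interface(): it validates its own argument. */
static int model_claim_interface(struct usb_interface *intf)
{
	if (!intf)
		return -ENODEV;
	intf->claimed = 1;
	return 0;
}

/* Shape after e9087e828827: the lock is taken first, so the claim call's own
 * NULL check is reached only after the pointer has already been dereferenced.
 * Returns 0 or a negative errno; dereferences NULL if isopkt_intf is NULL. */
static int claim_iso_intf_unguarded(struct btmtk_data *d)
{
	int err;
	model_device_lock(d->isopkt_intf);
	err = model_claim_interface(d->isopkt_intf);
	model_device_unlock(d->isopkt_intf);
	return err;
}

/* Shape with the patch's guard: reject NULL before any locking happens. */
static int claim_iso_intf_guarded(struct btmtk_data *d)
{
	int err;
	if (!d->isopkt_intf) {
		fprintf(stderr, "Can't claim NULL iso interface\n");
		return -ENODEV;
	}
	model_device_lock(d->isopkt_intf);
	err = model_claim_interface(d->isopkt_intf);
	model_device_unlock(d->isopkt_intf);
	return err;
}
```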